Examples with X509ByteExtensionWrapper org.candlepin.pki.X509ByteExtensionWrapper used on opensource projects

Search in sources :

Example 6 with X509ByteExtensionWrapper

use of org.candlepin.pki.X509ByteExtensionWrapper in project candlepin by candlepin.

the class BouncyCastlePKIUtility method createX509Certificate.

@Override
public X509Certificate createX509Certificate(String dn, Set<X509ExtensionWrapper> extensions, Set<X509ByteExtensionWrapper> byteExtensions, Date startDate, Date endDate, KeyPair clientKeyPair, BigInteger serialNumber, String alternateName) throws GeneralSecurityException, IOException {
    X509Certificate caCert = reader.getCACert();
    byte[] publicKeyEncoded = clientKeyPair.getPublic().getEncoded();
    X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()), serialNumber, startDate, endDate, new X500Name(dn), SubjectPublicKeyInfo.getInstance(publicKeyEncoded));
    // set key usage - required for proper x509 function
    KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment);
    // add SSL extensions - required for proper x509 function
    NetscapeCertType certType = new NetscapeCertType(NetscapeCertType.sslClient | NetscapeCertType.smime);
    certGen.addExtension(MiscObjectIdentifiers.netscapeCertType, false, certType);
    certGen.addExtension(Extension.keyUsage, false, keyUsage);
    JcaX509ExtensionUtils extensionUtil = new JcaX509ExtensionUtils();
    AuthorityKeyIdentifier aki = extensionUtil.createAuthorityKeyIdentifier(caCert);
    certGen.addExtension(Extension.authorityKeyIdentifier, false, aki.getEncoded());
    certGen.addExtension(Extension.subjectKeyIdentifier, false, subjectKeyWriter.getSubjectKeyIdentifier(clientKeyPair, extensions));
    certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
    // Add an additional alternative name if provided.
    if (alternateName != null) {
        /*
             Why add the certificate subject again as an alternative name?  RFC 6125 Section 6.4.4
             stipulates that if SANs are provided, a validator MUST use them instead of the certificate
             subject.  If no SANs are present, the RFC allows the validator to use the subject field.  So,
             if we do have an SAN to add, we need to add the subject field again as an SAN.

             See http://stackoverflow.com/questions/5935369 and
             https://tools.ietf.org/html/rfc6125#section-6.4.4 and

             NB: These extensions should *not* be marked critical since the subject field is not empty.
            */
        GeneralName subject = new GeneralName(GeneralName.directoryName, dn);
        GeneralName name = new GeneralName(GeneralName.directoryName, "CN=" + alternateName);
        ASN1Encodable[] altNameArray = { subject, name };
        GeneralNames altNames = GeneralNames.getInstance(new DERSequence(altNameArray));
        certGen.addExtension(Extension.subjectAlternativeName, false, altNames);
    }
    if (extensions != null) {
        for (X509ExtensionWrapper wrapper : extensions) {
            // Bouncycastle hates null values. So, set them to blank
            // if they are null
            String value = wrapper.getValue() == null ? "" : wrapper.getValue();
            certGen.addExtension(wrapper.toASN1Primitive(), wrapper.isCritical(), new DERUTF8String(value));
        }
    }
    if (byteExtensions != null) {
        for (X509ByteExtensionWrapper wrapper : byteExtensions) {
            // Bouncycastle hates null values. So, set them to blank
            // if they are null
            byte[] value = wrapper.getValue() == null ? new byte[0] : wrapper.getValue();
            certGen.addExtension(wrapper.toASN1Primitive(), wrapper.isCritical(), new DEROctetString(value));
        }
    }
    JcaContentSignerBuilder builder = new JcaContentSignerBuilder(SIGNATURE_ALGO).setProvider(BC_PROVIDER);
    ContentSigner signer;
    try {
        signer = builder.build(reader.getCaKey());
    } catch (OperatorCreationException e) {
        throw new IOException(e);
    }
    // Generate the certificate
    return new JcaX509CertificateConverter().getCertificate(certGen.build(signer));
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) X500Name(org.bouncycastle.asn1.x500.X500Name) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERSequence(org.bouncycastle.asn1.DERSequence) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) NetscapeCertType(org.bouncycastle.asn1.misc.NetscapeCertType) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper) X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)

Example 7 with X509ByteExtensionWrapper

use of org.candlepin.pki.X509ByteExtensionWrapper in project candlepin by candlepin.

the class DefaultEntitlementCertServiceAdapterTest method testSpecificLargeContent.

@Test
public void testSpecificLargeContent() throws IOException {
    Set<Product> products = new HashSet<>();
    products.add(largeContentProduct);
    largeContentProduct.setProductContent(null);
    for (Content content : largeContent) {
        largeContentProduct.addContent(content, false);
    }
    consumer.setFact("system.certificate_version", "3.3");
    Set<X509ByteExtensionWrapper> byteExtensions = certServiceAdapter.prepareV3ByteExtensions(product, getProductModels(product, products, "prefix", largeContentEntitlement), "prefix", null);
    Map<String, X509ByteExtensionWrapper> byteMap = new HashMap<>();
    for (X509ByteExtensionWrapper ext : byteExtensions) {
        byteMap.put(ext.getOid(), ext);
    }
    assertTrue(byteMap.containsKey("1.3.6.1.4.1.2312.9.7"));
    List<String> contentSetList = new ArrayList<>();
    try {
        contentSetList = v3extensionUtil.hydrateContentPackage(byteMap.get("1.3.6.1.4.1.2312.9.7").getValue());
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    assertEquals(largeContent.size(), contentSetList.size());
    for (String url : largeTestUrls) {
        assertTrue(contentSetList.contains("/prefix" + url));
    }
    List<String> testList = Arrays.asList(largeTestUrls);
    for (String url : contentSetList) {
        assertTrue(testList.contains(url.substring(7)));
    }
}
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Product(org.candlepin.model.Product) Matchers.anyString(org.mockito.Matchers.anyString) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) ExpectedException(org.junit.rules.ExpectedException) CertificateSizeException(org.candlepin.util.CertificateSizeException) IOException(java.io.IOException) ProductContent(org.candlepin.model.ProductContent) Content(org.candlepin.model.Content) EnvironmentContent(org.candlepin.model.EnvironmentContent) X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 8 with X509ByteExtensionWrapper

use of org.candlepin.pki.X509ByteExtensionWrapper in project candlepin by candlepin.

the class DefaultEntitlementCertServiceAdapterTest method testSingleSegmentContent.

@Test
public void testSingleSegmentContent() throws IOException {
    Set<Product> products = new HashSet<>();
    products.add(largeContentProduct);
    largeContentProduct.setProductContent(null);
    largeContentProduct.addContent(createContent(CONTENT_NAME, CONTENT_ID, CONTENT_LABEL, CONTENT_TYPE, CONTENT_VENDOR, "/single", CONTENT_GPG_URL, ARCH_LABEL), false);
    consumer.setFact("system.certificate_version", "3.3");
    Set<X509ByteExtensionWrapper> byteExtensions = certServiceAdapter.prepareV3ByteExtensions(product, getProductModels(product, products, "", largeContentEntitlement), "", null);
    Map<String, X509ByteExtensionWrapper> byteMap = new HashMap<>();
    for (X509ByteExtensionWrapper ext : byteExtensions) {
        byteMap.put(ext.getOid(), ext);
    }
    assertTrue(byteMap.containsKey("1.3.6.1.4.1.2312.9.7"));
    List<String> contentSetList = new ArrayList<>();
    try {
        contentSetList = v3extensionUtil.hydrateContentPackage(byteMap.get("1.3.6.1.4.1.2312.9.7").getValue());
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    assertTrue(contentSetList.contains("/single"));
}
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Product(org.candlepin.model.Product) X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper) Matchers.anyString(org.mockito.Matchers.anyString) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) ExpectedException(org.junit.rules.ExpectedException) CertificateSizeException(org.candlepin.util.CertificateSizeException) IOException(java.io.IOException) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 9 with X509ByteExtensionWrapper

use of org.candlepin.pki.X509ByteExtensionWrapper in project candlepin by candlepin.

the class DefaultEntitlementCertServiceAdapter method createX509Certificate.

// TODO: productModels not used by V1 certificates. This whole v1/v3 split needs
// a re-org. Passing them here because it eliminates a substantial performance hit
// recalculating this for the entitlement body in v3 certs.
public X509Certificate createX509Certificate(Consumer consumer, Owner owner, Pool pool, Entitlement ent, Product product, Set<Product> products, List<org.candlepin.model.dto.Product> productModels, BigInteger serialNumber, KeyPair keyPair, boolean useContentPrefix) throws GeneralSecurityException, IOException {
    // oidutil is busted at the moment, so do this manually
    Set<X509ExtensionWrapper> extensions;
    Set<X509ByteExtensionWrapper> byteExtensions = new LinkedHashSet<>();
    products.add(product);
    Map<String, EnvironmentContent> promotedContent = getPromotedContent(consumer);
    String contentPrefix = getContentPrefix(consumer, owner, useContentPrefix);
    if (shouldGenerateV3(consumer)) {
        extensions = prepareV3Extensions();
        byteExtensions = prepareV3ByteExtensions(product, productModels, contentPrefix, promotedContent);
    } else {
        extensions = prepareV1Extensions(products, pool, consumer, ent.getQuantity(), contentPrefix, promotedContent);
    }
    Date endDate = setupEntitlementEndDate(pool, consumer);
    ent.setEndDateOverride(endDate);
    Calendar calNow = Calendar.getInstance();
    Calendar calMinusHour = Calendar.getInstance();
    calMinusHour.add(Calendar.HOUR, -1);
    Date startDate = pool.getStartDate();
    if (pool.getStartDate().getTime() > calMinusHour.getTime().getTime() && pool.getStartDate().getTime() < calNow.getTime().getTime()) {
        startDate = calMinusHour.getTime();
    }
    X509Certificate x509Cert = this.pki.createX509Certificate(createDN(ent, owner), extensions, byteExtensions, startDate, endDate, keyPair, serialNumber, null);
    return x509Cert;
}
Also used : LinkedHashSet(java.util.LinkedHashSet) Calendar(java.util.Calendar) X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper) X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper) EnvironmentContent(org.candlepin.model.EnvironmentContent) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate)

Example 10 with X509ByteExtensionWrapper

use of org.candlepin.pki.X509ByteExtensionWrapper in project candlepin by candlepin.

the class DefaultContentAccessCertServiceAdapter method createX509Certificate.

public X509Certificate createX509Certificate(Consumer consumer, Owner owner, BigInteger serialNumber, KeyPair keyPair, Date startDate, Date endDate) throws GeneralSecurityException, IOException {
    // fake a product dto as a container for the org content
    org.candlepin.model.dto.Product container = new org.candlepin.model.dto.Product();
    org.candlepin.model.dto.Content dContent = new org.candlepin.model.dto.Content();
    List<org.candlepin.model.dto.Content> dtoContents = new ArrayList<>();
    dtoContents.add(dContent);
    Environment environment = this.environmentCurator.getConsumerEnvironment(consumer);
    dContent.setPath(getContentPrefix(owner, environment));
    container.setContent(dtoContents);
    Set<X509ExtensionWrapper> extensions = prepareV3Extensions();
    Set<X509ByteExtensionWrapper> byteExtensions = prepareV3ByteExtensions(container);
    X509Certificate x509Cert = this.pki.createX509Certificate(createDN(consumer, owner), extensions, byteExtensions, startDate, endDate, keyPair, serialNumber, null);
    return x509Cert;
}
Also used : ArrayList(java.util.ArrayList) Product(org.candlepin.model.Product) X509Certificate(java.security.cert.X509Certificate) Content(org.candlepin.model.Content) EnvironmentContent(org.candlepin.model.EnvironmentContent) Environment(org.candlepin.model.Environment) X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper) X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper)

Aggregations

X509ByteExtensionWrapper (org.candlepin.pki.X509ByteExtensionWrapper)10 IOException (java.io.IOException)6 ArrayList (java.util.ArrayList)6 HashMap (java.util.HashMap)6 EnvironmentContent (org.candlepin.model.EnvironmentContent)6 Product (org.candlepin.model.Product)6 UnsupportedEncodingException (java.io.UnsupportedEncodingException)5 GeneralSecurityException (java.security.GeneralSecurityException)5 CertificateExpiredException (java.security.cert.CertificateExpiredException)5 HashSet (java.util.HashSet)5 Content (org.candlepin.model.Content)5 CertificateSizeException (org.candlepin.util.CertificateSizeException)5 Test (org.junit.Test)5 ExpectedException (org.junit.rules.ExpectedException)5 Matchers.anyString (org.mockito.Matchers.anyString)5 ProductContent (org.candlepin.model.ProductContent)4 X509ExtensionWrapper (org.candlepin.pki.X509ExtensionWrapper)4 X509Certificate (java.security.cert.X509Certificate)3 LinkedHashSet (java.util.LinkedHashSet)3 Calendar (java.util.Calendar)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial